IoT Inside Insurance: Part I - A Brief History

22 Oct 2018
In this three-part blog series, we will take a look at the cyber insurance industry, its evolution, obstacles to growth, and how IoT gateways may help this industry provide critical solutions to their most pressing problems.


Part 1: A brief history of Cyber Insurance

The first industry to use insurance was the marine industry. Businessmen, owners, and ship captains would meet at a coffee shop and discuss upcoming shipments, travels, and shipping news. This insurance market was built from the knowledge and data gathered from these experts interested in hedging against risk. Those willing to assume some risk and pool their resources, together with a large number of informed, reliable information providers, allowed these insurance providers and buyers to create a market.

Similarly, today's cyber insurers use the same building blocks to create insurance policies, which limit financial exposure for the purchaser, as well as limit catastrophic losses to the issuer. Cyber insurance can be defined as a policy which protects against financial extortion, loss of business, and liability from data breaches, as well as crisis response. In 1997, AIG wrote the first cyber insurance policy as part of their push towards specialization. The first policy created protected only against a third-party attack, meaning an attack by a party external to the company. Policies of this kind made up the majority of cyber policies created through the mid-2000s. These policies were modeled after known cyber-attacks as well as an in-depth look at a company's cyber defense policy. Deep-dive research was done on best-practice approaches to defending against security breaches, and crisis response teams were developed. A crisis response team assesses the damage done to the client, develops a process to eliminate the issues and defend against the attack, and is sometimes used to develop a case for claims against the attackers.

In 2004, the first insurance policy that covered internal employee breaches was issued. This policy expanded the insurer's role and increased the user base. During the 2000s, growth models for the cyber insurance industry were greatly exaggerated, due to high demand and low supply. The supply-side issues were due to a lack of substantial data on the subject. Whereas standard liability policies and reinsurance policies insured against a fairly algorithmic risk scenario, cyber risk was trickier.

At first glance, a cyber defense seems like a measurable, defined object. Like a person's height, age, or weight, this would, theoretically, give an insurer the ability to look at the likelihood that a company with certain characteristics will have a cyber breach. In reality, however, cyber threats appear more like randomized variables. The correlation between a cyber defense plan and the threat of an attack is not as high as would be expected. This lack of correlation makes insurers hesitant to supply policies with affordable premiums and adequate payout, thus discouraging buyers.

Today's cyber insurance market is seeing phenomenal growth, estimated at 12% year over year. Policies protect against threats from inside and outside the offices and firewalls. Premiums around the industry have gone down 60%, according to Willis Insurance Services. A CBC underwriting survey shows a 50% adoption rate in the UK in 2016. But again, experts admit the growth rate should be higher. The underlying fissures causing this gap are recognized, but difficult to fix.

In Part 2 of this series, we will look at the current process of obtaining a cyber insurance policy and some of the current issues troubling the cyber insurance market today. In Part 3, we will take a look at how IoT edge gateways play into the cyber insurance process.